Core Concepts
R5Detect is security monitoring software that detects and prevents control-flow attacks on unmodified RISC-V standard architectures using a combination of a memory-protected shadow stack and heuristic detection based on Hardware Performance Counters.
Abstract
The paper presents R5Detect, security monitoring software for low-power IoT and embedded devices based on the RISC-V architecture. R5Detect combines two approaches to detect and prevent control-flow attacks:
Control-Flow Integrity (CFI) monitoring:
Implements a memory-protected shadow stack to prevent runtime modifications of return addresses.
Performs binary instrumentation to check the validity of indirect jumps.
Evaluates the security and performance of the CFI approach, showing an average overhead of below 5%.
Hardware Performance Counter (HPC) monitoring:
Leverages HPCs to detect unexpected system behavior and control-flow integrity violations.
Profiles the performance of different HPC events during an offline learning phase.
Compares the runtime HPC values to the learned signatures to detect anomalies.
Discusses the limitations of HPC-based monitoring, such as the availability of HPCs on the target hardware.
The authors implement and evaluate R5Detect on standard low-power RISC-V devices, demonstrating that such security features can be effectively used with minimal hardware support.
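The learn-then-compare flow described under HPC monitoring can be sketched as follows. This is an added example, not code from the paper or from R5Detect: the min/max envelope with a percentage tolerance, the choice of three events, and all counter values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_EVENTS 3 /* assumed events: cycles, retired instructions, taken branches */

/* Learned signature: per-event min/max seen during offline profiling. */
typedef struct { uint64_t lo[N_EVENTS], hi[N_EVENTS]; } hpc_sig;

/* Constructed counter deltas for benign runs of one monitored code region. */
static const uint64_t BENIGN_RUNS[4][N_EVENTS] = {
    {10400, 5200, 610}, {10550, 5200, 612}, {10480, 5200, 611}, {10620, 5200, 610},
};
/* Constructed runtime samples: one normal, one with inflated counts. */
static const uint64_t OBS_NORMAL[N_EVENTS]   = {10500, 5200, 611};
static const uint64_t OBS_DEVIATED[N_EVENTS] = {13900, 7150, 655};

/* Offline learning phase: record the envelope of each event over n runs. */
void hpc_learn(hpc_sig *s, const uint64_t runs[][N_EVENTS], size_t n) {
    for (size_t e = 0; e < N_EVENTS; e++) {
        s->lo[e] = UINT64_MAX;
        s->hi[e] = 0;
        for (size_t r = 0; r < n; r++) {
            if (runs[r][e] < s->lo[e]) s->lo[e] = runs[r][e];
            if (runs[r][e] > s->hi[e]) s->hi[e] = runs[r][e];
        }
    }
}

/* Runtime phase: bitmask of events outside the envelope widened by
 * tol_pct percent of the learned maximum; 0 means the signature matches. */
unsigned hpc_check(const hpc_sig *s, const uint64_t obs[N_EVENTS], unsigned tol_pct) {
    unsigned mask = 0;
    for (size_t e = 0; e < N_EVENTS; e++) {
        uint64_t slack = s->hi[e] / 100 * tol_pct;
        uint64_t lo = s->lo[e] > slack ? s->lo[e] - slack : 0;
        if (obs[e] < lo || obs[e] > s->hi[e] + slack) mask |= 1u << e;
    }
    return mask;
}

int main(void) {
    hpc_sig sig;
    hpc_learn(&sig, BENIGN_RUNS, 4);
    printf("normal:   mask=%u\n", hpc_check(&sig, OBS_NORMAL, 5));
    printf("deviated: mask=%u\n", hpc_check(&sig, OBS_DEVIATED, 5));
    return 0;
}
```

On real hardware the observed values would be deltas of the RISC-V counters read before and after the monitored region; which events exist beyond cycle and instret is implementation-defined, which is the availability limitation the abstract mentions.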